Office 365 / Exchange Online – DKIM Config


If you’re using Exchange Online for hosting your e-mail, and using a custom domain, you should probably check and see if you have DomainKeys Identified Mail (DKIM) configured.

DKIM is a configuration that allows a receiving domain to verify that an e-mail was sent from an authorized user and domain and was not modified in transit.

By default Office 365 / Exchange Online enables DKIM for self hosted domains (things like domain.onmicrosoft.com), but that doesn’t transition over to your primary or vanity domains… so for example, my domain, santsys.com did not have DKIM enabled, but my registration domain, santsys.onmicrosoft.com was enabled.


Exchange Online Connected Accounts

When I initially switched over to Exchange Online a couple of weeks ago, I was stoked for the “Connected Accounts” functionality that it offered. The idea of a consolidated inbox sounded too good to be true. Unfortunately that proved to be all too true. This isn’t a total bash on the feature, it’s just not something that really “works” for what I was trying to do with it (and hoped it would be able to do).

So first things first, here is what it does ok… It downloads e-mail from (up to 5) POP/IMAP accounts and puts that mail into your Exchange Inbox. It allows you to send messages “on behalf of” those connected accounts on systems that can handle it. In my trials, for actually sending mail from the connected accounts, Outlook and the Outlook Web Client that is provided were the only systems able to correctly use the connected accounts to send. iOS devices send from the default Exchange account when replying to a message, not the alternate address, and on top of that, you can’t even select the additional addresses as options to send from when creating a new message. So it pretty much doesn’t work at all in the case of iOS.

What it doesn’t do well (at all)… is provide a transparent layer for multiple e-mail accounts. What I mean by that is that if you have two e-mail addresses, your main Exchange account, let’s say user@domain.com, and a connected account user@domain2.com, and you send an e-mail in Outlook from user@domain2.com, it will display to the receiver (depending on their mail client) basically saying the message was sent “on behalf of” user@domain.com. Here are some examples of how that looks in a few mail systems.

Outlook:


Gmail:


For someone like myself who is a consultant and has many e-mail addresses and doesn’t necessarily want clients to see e-mails coming from one address when they should be from another, it can be problematic. It can also make for unhappy employers, etc.

Gmail offers some ways around these issues, using “Send mail as” functionality that has a much cleaner implementation and actually allows you to use external SMTP servers to send mail. So no more “on behalf of” in your connected accounts messages. It also allows you to join up POP/IMAP accounts to download messages.

This leads to the logical progression of why didn’t I just use Gmail (and Google Apps) instead of Exchange Online? Well, for me, I like the other features of Exchange, like the Calendar, Contact syncing and just the overall experience of the Exchange System. Also, the overall integration with Outlook is quite nice. The Gmail experience might be up to par now, but in my past experiences, the actual Exchange integration just works better.

So, you might ask next, what did I decide to do? Well, it’s not really a work around, or even some other form of consolidation. What I ended up doing is adding all of my accounts individually to Outlook, on my iPhone and my iPad. And you guessed right, that means a lot of accounts. But, it does offer some benefits… the main one being total segregation of my e-mail accounts, no messages will ever be sent on behalf of another account, etc. In Outlook, utilizing the Favorites section for mail, it allows me to see all of my main inboxes in one place and doesn’t really take away much from the experience. I am one of those Outlook users that is used to using the “Folder List” view, but I’m quickly adapting to mostly using the “Mail” view.

Here is what my favorites list looks like; you can see the 3 main inboxes for the accounts I use most frequently at the top.

The main up-in-the-air items that are yet to be determined are the performance hit that Outlook will take, now that it’s checking multiple accounts instead of just one Exchange account, and what the impact will be on the battery life of my phone and other mobile devices. My guess is that both Outlook and the mobile devices will take a hit, but hopefully it won’t be too bad.

Hopefully, Microsoft will update the Connected Account functionality sometime sooner rather than later, I know it would make me very happy. But until then, this should get the job done!

What are your thoughts?

Some more information:

Exchange Online

Tired of having partial integration of e-mail, kind of working calendar and mediocre contact syncing? I sure was! So I decided to upgrade to Exchange Online. Hosted Exchange seemed to fit the bill for the basics that I was looking for, mainly better integration between devices. I often do work from a desktop with Outlook, from my Cell Phone, various laptops via Web Mail and an iPad. Being able to change a contact on one, and have all of the devices update, or create a calendar invite and have it go to everything was crucial and a huge time saver.

I reviewed various options out there, but for the price, Exchange Online from Microsoft Office 365 seemed to be the best bang for my buck, especially with the basic features that I was looking for.

The basic “features” for the generic Exchange Online Plan 1 are:

  • Users can retrieve email, calendars, and contacts from almost anywhere using their computer, browser, or phone.
  • 25 GB user mailboxes that integrate seamlessly with Outlook and can send attachments up to 25 MB.
  • Access to easy-to-use online management tools that let you administer user permissions and service settings and setup email on your domain.

Domains

For the trial Microsoft creates a testing domain for you, [domain name].onmicrosoft.com. You can use this domain for testing, etc. But adding your real domain is a quick and simple process. Basically it just requires adding a DNS TXT record to identify that you are the owner of the domain. Once you do that your domain will be verified and you can start to add accounts using the new domain as the primary e-mail address for users.

After your domain is added, you simply have to update your DNS settings to point your MX records to the Microsoft servers. They even provide you updated SPF records! Make sure you have added mailboxes, tested, and made a backup of your DNS before making any changes to your DNS!
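An added example (not from the original post): an offline check of the records this section mentions, MX and SPF, plus the DKIM selector CNAMEs that the DKIM post above says a custom domain does not get by default. The Microsoft-side names (`.mail.protection.outlook.com`, `include:spf.protection.outlook.com`, `selector1`/`selector2`) are assumptions based on Microsoft's documented conventions, and the zone data is constructed.

```python
# Constructed sample records for a hypothetical domain; not real DNS data.
SAMPLE_ZONE = [
    ("example.com", "MX", "0 example-com.mail.protection.outlook.com."),
    ("example.com", "TXT", "MS=ms00000000"),  # ownership-verification record
    ("example.com", "TXT", "v=spf1 include:spf.protection.outlook.com -all"),
    ("selector1._domainkey.example.com", "CNAME",
     "selector1-example-com._domainkey.example.onmicrosoft.com."),
    # selector2 CNAME deliberately left out to show a finding
]

# Assumed Microsoft-side names (verify against your tenant's admin portal).
MX_SUFFIX = ".mail.protection.outlook.com"
SPF_INCLUDE = "include:spf.protection.outlook.com"
DKIM_SELECTORS = ("selector1", "selector2")


def audit_mail_dns(domain, zone):
    """Return a list of findings; an empty list means every check passed."""
    recs = {}
    for name, rtype, value in zone:
        key = (name.lower().rstrip("."), rtype.upper())
        recs.setdefault(key, []).append(value.strip().strip('"'))
    findings = []

    # MX: every exchanger should be the Microsoft-hosted endpoint.
    hosts = [v.split()[-1].rstrip(".").lower() for v in recs.get((domain, "MX"), [])]
    if not hosts:
        findings.append("MX: no record")
    elif not all(h.endswith(MX_SUFFIX) for h in hosts):
        findings.append("MX: exchanger outside " + MX_SUFFIX)

    # SPF: RFC 7208 allows exactly one v=spf1 record per name.
    spf = [v.lower().split() for v in recs.get((domain, "TXT"), [])]
    spf = [t for t in spf if t[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected 1 v=spf1 record, found {len(spf)}")
    else:
        if SPF_INCLUDE not in spf[0]:
            findings.append("SPF: " + SPF_INCLUDE + " missing")
        if spf[0][-1] not in ("-all", "~all"):
            findings.append("SPF: no -all/~all terminator")

    # DKIM: the custom domain needs its own selector CNAMEs.
    for sel in DKIM_SELECTORS:
        if not recs.get((f"{sel}._domainkey.{domain}", "CNAME")):
            findings.append(f"DKIM: {sel} CNAME missing")
    return findings


if __name__ == "__main__":
    print(audit_mail_dns("example.com", SAMPLE_ZONE))
```

Feed it records exported from your DNS provider in the same `(name, type, value)` shape; a second `v=spf1` record left over from a previous mail host is reported as a finding.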

Exchange Management

There is a pretty robust management system for Exchange, giving you easy web access to most things you could ever want to change (at least for my implementation).

Management is broken up into multiple categories, Users & Groups, Roles & Auditing, Mail Control and Phone & Voice. Under each of those categories you have access to specific tasks.

Users & Groups

You can access Mailboxes, Distribution Groups, External Contacts, and E-Mail Migration configurations under this group.

Roles & Auditing

You can access Administrator Roles, User Roles and Auditing options under this group.

Mail Control

You can access Rules, Domains and Protection, Retention Policies, Retention Tags, Journaling and Delivery Reports in this group.

From the Domains and Protection tab you also have access to Forefront Online Protection for Exchange (FOPE). This has some cool functionality and reporting features and gives you some really good control over your mail flow. Unfortunately I’m not too familiar with the inner workings of Forefront, so I won’t go into too much detail on that.

I did have some basic issues getting users added into FOPE. There is an issue with adding administrator accounts because of how the Single Sign-On process works. I had to open a support case with Microsoft to get more details on this, but it’s a quick process to get it fixed up.

The issue presents itself for Global Administrator accounts: if you access FOPE and don’t have an account already created, you get access errors when trying to perform tasks and view your quarantine.

To fix the issue, Microsoft provided the following details:

Office 365 administrators cannot sign in to the Forefront Online Protection for Exchange (FOPE) Quarantine service to access mail quarantine:

To resolve this issue, use a second Office 365 administrator account to temporarily remove the Office 365 administrator role from the initial user account in the Office 365 portal, manually add the user account to the FOPE Administration Center, and then reassign the administrator role to the user account in Office 365. To do this, follow these steps:

  1. If you are not already signed in, sign in to the Office 365 portal by using Global administrator credentials. Do not sign in by using the Office 365 administrator account that is experiencing the issue.
  2. Check and remove the global administrator role from the user account in the Office 365 portal. To do this, follow these steps:
    1. In the Office 365 portal, click Admin, and then click Users in the left navigation pane.
    2. Click the global administrator account that you want to modify, and then click Settings.
    3. Note the value of the role assignment.
    4. Under Assign role, click No, and then click Save.
  3. Add the user account to the Users list in the FOPE Administration Center. To do this in the ECP, follow these steps:
    1. In the left navigation pane, click Roles & Auditing, and then click Configure IP safe listing, perimeter message tracing, and e-mail policies in the right pane.
    2. Click Administration, and then click Users.
    3. In the Tasks pane, click Add User.
    4. In the Add New User dialog box, enter the email address of the user account. Do not assign administrator permissions to this account.
    5. Click Save.

      Note If you cannot add the FOPE user account, contact technical support for help.

  4. Restore the administrator roles that you noted in step 2c and step 3e to the administrator account.


Note
To prevent this issue from occurring to other future administrator accounts, first add the user account as a standard FOPE user account in the FOPE Administration Center (see step 4), and then add the administrative permissions to the account in Office 365.

They also sent along the following documents as additional reference for accessing and supporting FOPE:

Users & Mailboxes

You have a basic UI for managing existing users and creating new users online; there are also integration features such as Active Directory Synchronization and Single Sign-on. This is not a feature that I am using, but there are a lot of options for getting your company seamlessly integrated with Microsoft Online. More information on that here: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652540.aspx.

From the user management pages, you can go in and directly manage users’ mailboxes: set up contact information, view mailbox size, etc.

  • General information – Name, Display Name, etc.
  • Mailbox Usage
  • Contact Information – Address, Phone Number, etc.
  • Organization Details – Title, Department, Company, Manager, Direct Reports
  • E-Mail Options – Primary E-Mail Address, Other E-Mail Addresses
  • Mailbox Settings – Mailbox Plan, Role Assignment Policy, Retention Policy
  • MailTip – MailTip to be displayed when people send e-mail to this mailbox.
  • Mailbox Features – Enable/disable extra features (Archiving, etc)
  • Phone & Voice Features – Enable/disable voice features

Basically everything you would expect to have access to. The UI isn’t the most seamless, and there are some little bugs here and there, but overall it works really well and gets the job done!

E-Mail Migration Process

My e-mail migration process was super simple: basically I made a backup (as you always should before doing any major changes) of my existing Outlook PST file, then closed out of Outlook, went into the mail settings via Control Panel, and created a new profile named “Santomieri Systems – Exchange”.

This new profile, if you have your autodiscover DNS set up correctly, should link right up to Exchange Online and fill in all of your settings. And for me, that was pretty much it as far as setup goes.

Then for mail import, you simply open up Outlook, go to File > Options > Advanced > Export > then click on the Export button. Then select “Import from another program or file”. Then click Next, and select “Outlook Data File (.pst)” and then select your old Outlook PST file, and that’s about it! Your mail will load in and then be synced to Exchange (that may take a while depending on the amount of data and how fast your internet connection is).

Also, once you are all linked up to Outlook you get cool features like seeing your mail quota in Outlook, server-processed rules, etc. Basically all of the great things about Exchange, at a bargain price!

So to sum everything up, my migration to Exchange Online, for a couple of users, took about a week. That included some basic testing and planning around moving everything that I needed to move, documenting Outlook rules, re-evaluating folder structure, etc. Now that the move is done, I have everything working with my iPhone, iPad, laptops, desktops and web mail, and it is GREAT! I’m probably saving 1-2 hours a day just in going through e-mail alone!